Add a basic seccomp profile to zhm

Prevent zhm from doing some evil things while it runs (e.g., ptracing)
by implementing a basic seccomp-bpf filter. The filter still allows a
lot of potentially dangerous operations (e.g., unlink(2)), but this is
a good start.

The filter is based partly on a close reading of the zhm and libhesiod
source code and partly on empirical evidence from running zhm under
strace. I’ve run zhm with this filter for several days without
incident, but some edge cases (e.g., server failover) are still
untested.

configure decides whether or not to enable seccomp by looking for
libseccomp. By default, it treats seccomp as an enhancement and enables
it opportunistically. Builders can force seccomp to be enabled or
disabled by passing --with-seccomp or --without-seccomp, respectively,
to configure.

1 files changed, 21 insertions, 1 deletions

diff --git a/configure.ac b/configure.ac
index dd0dc5a..cb0d568 100644
--- a/configure.ac
+++ b/configure.ac
@@ -264,7 +264,27 @@ if test "x$with_ares" != "xno"; then
 			     AC_MSG_ERROR(libcares not found)))
 fi
 AC_SUBST(ARES_LIBS)
-		    
+
+AC_ARG_WITH(seccomp,
+	[AS_HELP_STRING([--without-seccomp], [Disable seccomp])
+AS_HELP_STRING([--with-seccomp=PREFIX], [Specify location of libseccomp])],
+	[seccomp="$withval"], [seccomp=maybe])
+AS_IF([test "x$seccomp" != "xno"], [
+	AS_IF([test "x$seccomp" != "xyes" && test "x$seccomp" != "xmaybe"], [
+		CPPFLAGS="$CPPFLAGS -I$seccomp/include"
+		LDFLAGS="$LDFLAGS -I$seccomp/lib"
+	])
+	AC_CHECK_LIB(seccomp, seccomp_init, [
+		SECCOMP_LIBS="-lseccomp"
+		AC_DEFINE(HAVE_SECCOMP, 1,
+			[Define to compile with libseccomp support.])
+	], [
+		AS_IF([test "x$seccomp" != "xmaybe"],
+			AC_MSG_ERROR([libseccomp not found]))
+	])
+])
+AC_SUBST(SECCOMP_LIBS)
+
 AC_PROG_GCC_TRADITIONAL
 AC_FUNC_VPRINTF
 AC_FUNC_GETPGRP